We have developed an Outlook Add-in for Outlook Web App that requires users to log in via Office 365 (OAuth2). However, on Safari, the setting “Prevent cross-site tracking”, which is enabled by default, prevents 3rd party cookies, and therefore it is not possible to establish a user session (as the session id is managed via cookies).

If we disable the setting “Prevent cross-site tracking”, then it works fine, so it is clear that this is the issue.

What is the advice from Microsoft on how to enable sessions for Outlook Add-ins where 3rd party cookies are disabled (as is the case in Safari)?

Gwyn Howell
  • From what I read, 'prevent cross-site tracking' isn't synonymous with blocking third party cookies. It depends on if you have visited the site recently, and I've seen posts that suggest just retrying the call may work (ref: https://stackoverflow.com/questions/61423774/error-aadsts50058-a-silent-sign-in-request-was-sent-but-no-user-is-signed-in). Are you using MSAL library? – Brian Clink May 06 '20 at 20:26
  • Recommend you to go through https://support.apple.com/en-in/guide/safari/sfri40732/13.0/mac/10.15 and https://webkit.org/blog/7675/intelligent-tracking-prevention/ to have a better understanding of “Prevent cross-site tracking” functionality in Safari. We would like you to confirm if this is a one time issue and log in flow works after enabling “Prevent cross-site tracking” back? – Outlook Add-ins Team - MSFT May 10 '20 at 07:55
  • Thanks for your response. I read the articles you provided, and learned that the cookie restrictions are only applied if the user hasn’t interacted directly with the website. So I visited the website and then the add-in worked as intended. Apologies for hitting SO before reading the docs! In response to your question - if I do not visit the website, then re-enabling "Prevent cross-site tracking" breaks the log in flow again (as I would expect it to). Thanks for your help. – Gwyn Howell May 11 '20 at 09:53
  • @GwynHowell Is there anything else you need from our side? – Outlook Add-ins Team - MSFT May 15 '20 at 08:09
  • We still have the issue where users who have not visited the site first are unable to log in. We are also experiencing that if Safari is closed and re-opened, then the cookies are removed, and therefore same problem - unable to log in. Do you have any advice or best practices on how to handle the case where a user has not visited the website in advance of opening the Outlook add-in? – Gwyn Howell May 15 '20 at 13:44
  • It has been put on our backlog. Unfortunately, we have no timelines to share at this point. – Outlook Add-ins Team - MSFT Jun 03 '20 at 15:27
  • Any update on this? It seems to affect Outlook in iOS 14 too, and it is not possible to fix by allowing cross-site tracking. – BoKDamgaard Oct 20 '20 at 12:14
  • We worked around this by forcing user login. You have to use Office.context.ui.displayDialogAsync method to retain session and prevent cross site issues. See docs here - https://learn.microsoft.com/en-us/office/dev/add-ins/develop/dialog-api-in-office-add-ins. – Gwyn Howell Oct 28 '20 at 10:25
  • @GwynHowell Did you ever come up with a solution? – camden_kid Jun 23 '21 at 15:34
  • @camden_kid yes - see my previous comment. You have to use the MS libs to display a dialog. You cannot do it using traditional JS. Unfortunately, this means more dev work but we managed to get it working in the end. – Gwyn Howell Aug 04 '21 at 15:01
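
A sketch of the dialog-based sign-in described in the comments above, as an added example that is not code from the thread or from Microsoft. It uses `Office.context.ui.displayDialogAsync` and the dialog events from the Dialog API; the start URL, the `{status, code}` message shape and the function names are assumptions, and `office` is passed in so the flow can be exercised with a stub.

```javascript
// Added example, not code from the thread.
// Assumptions: AUTH_START_URL and the {status, code} message shape are hypothetical;
// `office` is the global Office object in a real add-in (passed in so it can be stubbed).
const AUTH_START_URL = "https://addin.example.com/auth/start.html";

// Validate what the dialog page sent through Office.context.ui.messageParent().
// Returns the code string, or null for anything malformed or unexpected.
function parseAuthMessage(raw) {
  let msg;
  try {
    msg = JSON.parse(raw);
  } catch (e) {
    return null;
  }
  if (msg === null || typeof msg !== "object") return null;
  if (msg.status !== "ok" || typeof msg.code !== "string" || msg.code === "") return null;
  return msg.code;
}

function signInWithDialog(office, startUrl = AUTH_START_URL) {
  return new Promise((resolve, reject) => {
    // Refuse a non-HTTPS start page before asking Office to open anything.
    if (new URL(startUrl).protocol !== "https:") {
      reject(new Error("dialog start URL must be https"));
      return;
    }
    office.context.ui.displayDialogAsync(startUrl, { height: 60, width: 30 }, (result) => {
      if (result.status !== office.AsyncResultStatus.Succeeded) {
        reject(new Error("dialog did not open: " + result.error.message));
        return;
      }
      const dialog = result.value;
      // Raised when the dialog page calls messageParent() after the login redirect.
      dialog.addEventHandler(office.EventType.DialogMessageReceived, (arg) => {
        dialog.close();
        const code = parseAuthMessage(arg.message);
        if (code) resolve(code);
        else reject(new Error("sign-in failed or message malformed"));
      });
      // Raised when the user closes the dialog or it fails to load.
      dialog.addEventHandler(office.EventType.DialogEventReceived, (arg) => {
        reject(new Error("dialog closed, code " + arg.error));
      });
    });
  });
}
```

In the task pane this would be called as `signInWithDialog(Office)`; the page at the start URL runs the Office 365 login and reports the outcome with `Office.context.ui.messageParent(...)`.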

0 Answers